Nested Kernel

Dautenhahn, Nathan; Kasampalis, Theodoros; Dietz, Will; Criswell, John; Adve, Vikram

doi:10.1145/2775054.2694386

Cited by 15 publications

(5 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then, they inserted secure monitor calls (SMCs), which are special instructions to transfer the control from the normal world to the secure world, into the kernel code and verified the integrity of the kernel in the secure world when SMCs are executed. Some approaches [3,5,6,37] hardened the kernel itself without any supports of a higher privileged layer such as hypervisor and TrustZone. Instead, to build an SEE in the kernel address space, they utilized features of the processor architecture such as WP [6] in Intel x86 and TxSZ [5] in the ARM.…”

Section: Related Workmentioning

confidence: 99%

“…Some approaches [3,5,6,37] hardened the kernel itself without any supports of a higher privileged layer such as hypervisor and TrustZone. Instead, to build an SEE in the kernel address space, they utilized features of the processor architecture such as WP [6] in Intel x86 and TxSZ [5] in the ARM. They split the kernel into the secure domain and non-secure domain, then put the higher privilege to the secure domain than the non-secure domain by assigning sensitive kernel operations such as page table and system control register management to the secure domain.…”

Section: Related Workmentioning

confidence: 99%

“…To protect the kernel against kernel-level attacks and rootkits [2], many researchers have devised mechanisms to monitor the integrity of the OS kernel in a secure execution environment that is isolated from the monitored kernel. To implement an SEE, several studies have proposed software-based techniques that mandate either the instrumentation of kernel code [3][4][5][6] or the introduction of a higher privileged layer [7,8] (i.e., hypervisor).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V

2021

View full text Add to dashboard Cite

The OS kernel is typically preassumed as a trusted computing base in most computing systems. However, it also implies that once an attacker takes control of the OS kernel, the attacker can seize the entire system. Because of such security importance of the OS kernel, many works have proposed security solutions for the OS kernel using an external hardware module located outside the processor. By doing this, these works can realize the physical isolation of security solutions from the OS kernel running in the processor, but they cannot access the inner state of the processor, which attackers can manipulate. Thus, they elaborated several methods to overcome such limited capability of external hardware. However, those methods usually come with several side effects, such as high-performance overhead, kernel code modifications, and/or excessively complicated hardware designs. In this paper, we introduce RiskiM, a new hardware-based monitoring platform to ensure kernel integrity from outside the host system. To deliver the inner state of the host to RiskiM, we have devised a hardware interface architecture, called PEMI. Through PEMI, RiskiM is supplied with all internal states of the host system essential for fulfilling its monitoring task to protect the kernel. To empirically validate our monitoring platform’s security strength and performance, we have fully implemented PEMI and RiskiM on a RISC-V based processor and FPGA, respectively. Our experiments show that RiskiM succeeds in the host kernel protection by detecting even the advanced attacks which could circumvent previous solutions, yet suffering from virtually no aforementioned side effects.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V

2021

View full text Add to dashboard Cite

show abstract

“…Virtual Ghost offers better performance than a hardware virtualizationbased approach [10], but Virtual Ghost is much slower than an ARM TrustZone based approach, TrustShadow [9]. Some studies [16], [34] provide trusted kernel execution environments without special hardware features. For example, in SKEE [34], A. M. Azab et al proposed a framework to support the trusted kernel execution environment.…”

Section: B Software-based Teementioning

confidence: 99%

“…The first way is to put the module and the kernel in the same address space. Instead, the module is hidden from the kernel via address space randomization (ASR) [32] or protected by write protection (WP) in x86 [16]. The system with ASR is less likely to be attacked, so the module is expected to be safe, but in practice, it is not secure.…”

Section: Kernel Deprivilegingmentioning

confidence: 99%

SofTEE: Software-Based Trusted Execution Environment for User Applications

Lee

Park

2020

IEEE Access

View full text Add to dashboard Cite

Commodity operating systems are considered vulnerable. Therefore, when an application handles security-sensitive data, it is highly recommended to run the application in a trusted execution environment. In response to this demand, hardware-based trusted execution environments such as Intel SGX and ARM TrustZone have been developed in commodity computers. However, hardware-based approaches cannot be quickly upgraded to address design vulnerabilities or to reflect customer feedback. In this paper, we propose SofTEE, a software framework to support a trusted execution environment for user applications. For a trusted execution environment, SofTEE should support memory isolation and attestation. For memory isolation, SofTEE relies on kernel deprivileging which delegates the execution of privileged operations such as memory management, from a kernel to a special module called a security monitor. To reduce the overhead of switching between the deprivileged kernel and the security monitor, SofTEE proposes an efficient management mechanism of the address space identifier. SofTEE supports attestation by assuming minimal hardware functionalities of random entropy and root of trust. The main challenge of SofTEE is to guarantee security properties like confidentiality and integrity of security-sensitive applications. For security analysis, we have identified security invariants that SofTEE should meet for confidentiality and integrity guarantees. Based on the security invariants, we have designed and prototyped each component of SofTEE on a Raspberry Pi 3 board. SofTEE produces about 3% overhead in case of a security-sensitive application with long execution time and 23% overhead in case of a security-sensitive application with short execution time.

show abstract